Tag Archives: best practice

So, after writing for clients and my research being all consuming this past year I am re-focusing time in my day to share observations and thoughts. Why? Quite simply I learn more when I write; share, and get feedback then living in an echo chamber. How will this benefit the world/you.. simple, you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I. I also will begin focusing my posts on my dedicated portal for such topics and (attempt) to limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.

Also, I am trying to aim for a high iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask, please share, challenge, and seek to understand my perspective – as I will do for you.

Onward then …

Today is RSA day and 2 themes that are evident and of most importance based on several large client discussions; analyst discussions; and a few researchers I had the privilelege of speaking with today:

Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)

Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, Crypto architects disowning responsibility for operational deployment, and “enable” privacy, security this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impings their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering

Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.

The securing of information assets is the core to ensuring operational integrity for every business, and is supported by security and compliance safeguards. The near constant stream of innovation over the past 10 years has provided near ubiquitous wire(less) connectivity to an abundant number of devices. Matched equally to this innovation and connectivity is the transportability of data. Of course the data must be transported and portable; however, it must be done in a manner that supports the organization’s entire strategic objectives.
The reality of wireless technology has reached a crescendo with regards to WIFI / 802.11 within the payment card industry where encryption and two factor authentication was required to leverage these technologies. Due to a number of data breaches (presumably), specific wireless technology is being banned from the payment card network. Guidance on the wireless guidelines may be found here.
These lessons – that wireless technology can be eavesdropped; that the data can float literally anywhere (for confirmation turn on your wireless network card on an airplane and fire up a DHCP gateway application); that the only way to secure it is through strong crypto and TWO factor authentication. All of these seem clear, but the last one should be elaborated on to understand that risks of Bluetooth and RFID.
2 Factor authentication beyond ensuring the identity of the individual provides a far more important safeguard – that the user intended to make a connection and goes through the handshake process. This does not exist in these other technologies, and creates a great deal of risk to the users of these systems.
To provide specific context to why Bluetooth and RFID are risky business without proper safeguards consider the following:

DefCon radio scanners “read” and “recorded” the information off of security badges from the attendees. This is the most security conscious / paranoid group that you can assemble, and this scanner caught unsecured badges.

The data on these RFID type devices contains things as simple as identifiers to full names and departments.

(iphone focus of post, but applicable to all such capable devices) prior to getting on a plane TO Blackhat / DefCon. The reason is simple: it is near certain that someone is running a scanner.

In the end these technologies do provide essential functions, but should cautiously deployed where security can be ensured and is tested properly. Care should be given to the information applied to these transmitting devices.
NIST has a nice document here (800-98)